multi-valued userPassword (was: IETF ldapbis WG Last Call: draft-ietf-ldapbis-user-schema-05.txt)
Hi!

Another issue:

Any reasonable *and* secure use-case for having multi-valued userPassword?

Maybe it's worth noting in the section 'Security Considerations' that multiple
attribute values for userPassword should be avoided. Especially
reset/deletion of a password by an admin without knowing the old user
password gets tricky or impossible if multiple values for different
applications are present. This also somewhat relates to a similar discussion
on the ldap-ext list about possibly multi-valued attributes in
draft-behera-ldap-password-policy.

The only use-case I could imagine for having multiple userPassword attribute
values was working around the Octet String problem storing the *same*
password with various character sets/encodings.

Ciao, Michael.
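
An added example, not part of the original message: a small Python audit that scans an LDIF export for entries holding more than one userPassword value, the condition the message suggests avoiding. The sample entries, DNs and hash strings are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample LDIF (not from the original message). The second value is
# base64-encoded ("::") and folded across two lines, as LDIF exports often are.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
userPassword: {SSHA}constructedHashValueA
userPassword:: e1NTSEF9Y29uc3RydWN0ZWRIYXNo
 VmFsdWVC

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
userpassword: {SSHA}constructedHashValueC
"""

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [bytes, ...]})] for each entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of a folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        name = name.split(";")[0].lower()   # drop attribute options, ignore case
        if name == "dn":
            dn = value.decode("utf-8")
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def multi_valued_passwords(entries):
    """Map DN -> userPassword values for entries holding more than one."""
    return {dn: a["userpassword"] for dn, a in entries
            if len(a.get("userpassword", [])) > 1}

if __name__ == "__main__":
    for dn, values in multi_valued_passwords(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{dn}: {len(values)} userPassword values")
```

The report prints only the DN and the number of values, so stored hashes do not end up in audit output.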